China

Image

China Topic Page

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources related to privacy in China. The IAPP Resource Center also includes an “Asia” topic page, which can be accessed here.

Featured Resources

ARTICLE SERIES

Top-5 Operational Impacts of China’s PIPL

This 5-part series is written by a host of experts on Chinese law. It explores the most important features of China’s PIPL, from requirements around sensitive personal information, data subject rights, and international data transfers, to the bases for handling data, DPO responsibilities, and enforcement mechanism
Read More

ARTICLE

Practical considerations and insights on contractual necessity under PIPL

This article provides insight on how Chinese regulators, such as the Cyberspace Administration, will release rules and guidance to further clarify provisions of the PIPL, which come in the form of “regulations, administrative measures, guidelines and technical standards.”
Read More

RESOURCE ARTICLE

A practical comparison of the EU, China and ASEAN SCC’s

This resource compares three sets of SCC’s, namely in China, the EU and the ASEAN, based on their key features.
Read More

VIDEO

Chinese SCCs are here: Are you ready?

The Cyberspace Administration of China released the long-awaited Chinese standard contractual clauses. This video discusses what implementing the new SCCs means in practice and where y
Read More

ARTICLE

China’s new cross-border data transfer security assessment guidelines

This article breaks down China’s new cross-border data transfer security assessment guidelines and offers recommendations for companies facing the possibility of noncompliance.
Read More

ARTICLE

China’s PIPL takes effect, compliance ‘a challenge’

With China’s PIPL now in effect and companies seeking to figure out how to best comply and regulators working to answer remaining questions, this article analyzes what companies need to know about the new law.
Read More


Asia-Pacific Dashboard Digest newsletter

Keep up to date with the most important privacy and data protection news from Asia and Australia-New Zealand by subscribing to the Asia-Pacific Dashboard Digest newsletter.

Additional News and Resources

A look at what's in China's new SCCs

The long-awaited Chinese standard contractual clauses and SCC Regulations were finally released by the Cyberspace Administration of China Feb. 24, effective June 1. This indicates that all three major legal mechanisms under China's Personal Information Protection Law, namely CAC-led security assessment, certification by licensed professional institutions, and Chinese SCCs, are all fully established with the necessary details for implementation. Application scope According to the SCC Regulation... Read More

China cross-border data transfer mechanism and its implications

China’s rise on the global stage has manifested itself in many ways, and it should be no surprise that China has gained prominence in terms of its privacy and security legislation. In recent years, major pieces of legislation have been promulgated: the 2017 Cybersecurity Law, the 2021 Data Security Law and the 2021 Personal Information Protection Law. One common area of interest arising from those three laws, especially for organizations, is how cross-border data transfers will be addressed and... Read More

Will China’s new certification rules be a popular legal path for outbound data transfers?

On Nov. 1, 2021, China’s Personal Information Protection Law took effect and became the first Chinese law dedicated to protecting the personal information rights of individuals. However, due to a lack of implementation regulations and clarity, many companies face a situation where they are unsure how to comply with areas of the PIPL. Nowhere is this more of an issue than with Article 38 of the PIPL, which provides several conditions (or legal paths) that must be met before a cross-border data t... Read More

How China's draft SCCs compare with EU SCCs

On June 30, 2022, the Cyberspace Administration of China released the long-awaited draft provisions on the Standard Contract for the Cross-border Transfer of Personal Information for public consultation. The deadline to submit comments is July 29, 2022. The draft provisions were circulated pursuant to Article 38 of China’s Personal Information Protection Law, under which the government-approved standard contract is one of the lawful transfer mechanisms available that a personal information proce... Read More

Top 5 operational impacts of China’s PIPL — Part 4: Penalties and enforcement mechanisms

The Personal Information Protection Law is the first law dedicated to protecting personal information in China, provides comprehensive penalty and enforcement mechanisms, including administrative penalties, private actions, public interest actions (China’s equivalent of class actions), public security administration, and criminal penalties. Every individual or organization that acts as a data handler, including state organizations as stipulated in Article 33, will be subject to the enforcement o... Read More

Top 5 operational impacts of China's PIPL: Part 3 — Personal information protection officer

China's Personal Information Protection Law has been in effect since Nov. 1, 2021, but privacy professionals and organizations are still trying to fully grasp the law's key provisions and nuances. In this third article in a five-part series exploring the top 5 operational impacts of the PIPL, Xiaomi Head of Security and Privacy Compliance Wenkuan Song analyzes the law's personal information protection officer requirement with a look into which companies need to appoint an officer, general respon... Read More

Top-5 operational impacts of China’s PIPL: Part 2 — Obligations and rights

China's Personal Information Protection Law has been in effect since Nov. 1, 2021, but privacy professionals and organizations are still trying to fully grasp the law's key provisions and nuances. In the second of a series exploring the top-5 operational impacts of the PIPL, Rui Bai Law Firm Head of Corporate Xiaobei Li analyzed the law's legal obligations on businesses in relation to the collection, processing, provision, transfer, deletion and destruction of personal data.Full Story... Read More

Top-5 operational impacts of China's PIPL: Part 1 — Scope, key definitions and lawful handling of personal information

In this five-part series, we examine several facets of the Personal Information Protection Law of the People’s Republic of China, which came into force Nov. 1, after two rounds of public consultation. The drafting of the PIPL was heavily influenced by the EU General Data Protection Regulation, and follows GDPR closely in many areas. However, it has distinct features, scope and exclusions that global companies need to understand. A key threshold distinction between the GDPR and the PIPL relates... Read More

China bans apps over PIPL, DSL violations

South China Morning Post reports China's Ministry of Industry and Information Technology ordered 106 mobile applications to be removed from app stores over violations of the Personal Information Protection Law and Data Security Law. Following investigation and prior scrutiny, the MIIT found the companies hadn't come into compliance with data collection requirements under the law. According to Reuters, Russia banned privacy-focused browser Tor following allegations that it was enabling access ... Read More

China publishes draft data security regulations

The Cyberspace Administration of China released draft regulations for its data security laws, including the Personal Information Protection Law and others, Bloomberg reports. The draft regulations hone in on four categories of data, including personal information, while clarifying how businesses are covered and what is required of them under specific laws. Also addressed in the regulations are provisions around extraterritorial scope, cross-border data transfers, data breach notification require... Read More

China's central bank to crack down on fintech and protect privacy

The People's Bank of China will begin taking action against financial technology companies collecting and using personal data, the South China Morning Post reports. In an 8-minute keynote speech for Hong Kong's 2021 FinTech Week, the central bank's Governor Yi Gang said making stronger data protection is "an urgent matter" in light of companies collecting and leaking personal data. "We are cracking down on excessive collection of consumer data, and unfair practices that require customers to hand... Read More

Web Conference: China's PIPL Law — How it Can Affect You and What You Need to do Now

Original broadcast date: 14 October 2021 China has a new privacy law coming into force on November 1st and it can affect us all. PIPL is their data protection law and anyone who has data on Chinese residents needs to take action. Do you have Chinese visitors to your website, Chinese employees or subcontractors, do you buy from China and have information on people in China? Then you need to know more. Read More

China’s draft algorithm regulations: A first for consumer privacy

The People’s Republic of China broke new ground by announcing draft regulations on the widespread use of algorithmic recommendation technology. The regulations are, according to one expert, the first of their kind globally. And because China will soon exceed one billion internet users — roughly 20% of global internet users — these regulations will cover nearly one in five users on earth. The Internet Information Service Algorithmic Recommendation Management Provisions were released after passag... Read More

China's key enforcement agencies and lessons learned from recent actions

As explained in our previous post, China enacted its first fundamental law in cyberspace, the Cybersecurity Law, in 2016. Five years later, in 2021, China followed up with two more pieces of landmark legislation in this space: the Data Security Law and the Personal Information Protection Law. Taken as a whole, these three laws form an overarching framework that will govern data security, data protection and cybersecurity in China for years to come. Under the framework established by these three... Read More

Analyzing China's PIPL and how it compares to the EU's GDPR

On Aug. 20, 2021, the Standing Committee of China’s National People’s Congress promulgated China’s Personal Information Protection Law, which will take effect Nov. 1, 2021. Serving as China’s first comprehensive law in the personal information protection area and based on China’s Constitution, the PIPL aims to “protect the rights and interests of individuals,” “regulate personal information processing activities,” and “facilitate reasonable use of personal information” (Article 1). From a broad... Read More

Introducing China’s New Privacy Law: PIPL

Original Broadcast Date: August 2021 Part of the IAPP Asia Privacy Forum Online 2021 Recently, the National People’s Congress of China adopted the world’s newest comprehensive privacy law — the Personal Information Protection Law. The PIPL isn’t just any other new privacy law, as China is unlike any other country. The world’s second largest economy, China is a superpower in technology and global trade with strength in tech infrastructure and components, AI and online platforms. What does PIPL,... Read More

China adopts national privacy law

The top legislative body in the People's Republic of China voted Friday to adopt a new national privacy law. The Standing Committee of the National People's Congress passed the Personal Information Protection Law at a meeting in Beijing, according to the nation's state-operated Xinhua News Agency. The sweeping law will take effect Nov. 1. With the move, the PRC joins three of the world's top four economies with an omnibus privacy law, leaving the U.S. as the only nation in the top four without ... Read More

China rolls out guidance on IoT security standards

China's Ministry of Industry and Information Technology issued guidelines for the construction of a security standard system for the Internet of Things. The guidance seeks to outline a framework that will promote public network security risk mitigation and prevention, along with development and implementation of standards for the IoT. Software security, access authentication and data security are among the standard requirements listed by MIIT.Full Story... Read More

Shanghai sets up data exchange to improve manufacturing efficiency

Shanghai City is setting up a data exchange to improve efficiency in manufacturing, Reuters reports. Vice Mayor Wu Qing said the city would encourage companies to share some data and improve data regulations. China recently passed its Personal Information Protection Law, which will be implemented 1 Nov. Editor’s note: IAPP Editorial Director Jedidiah Bracy, CIPP, reported details on PIPL’s enactment.Full Story... Read More

CAC unveils draft regulations on 'algorithmic recommendations'

The Cyberspace Administration of China released a draft of its "Internet Information Service Algorithm Recommendation Management Regulations." The regulations are meant to cover the use of "algorithmic recommendation technology" to provide information services within China. Violations could result in fines ranging from 5,000 to 30,000 yuan. The CAC is accepting public comments on the draft regulation until Sept. 26.Full Story... Read More

Shenzhen passes China's first local data law

The Standing Committee of the Shenzhen Municipal People's Congress passed China's first local data law. The "Shenzhen Special Economic Zone Data Regulations" would prohibit applications from restricting services to users who do not agree to data access agreements. Violations of the law could result fines upwards of 50 million yuan. The law will go into effect 1 Jan.Full Story... Read More

The future of data localization and cross-border transfer in China: a unified framework or a patchwork of requirements?

Until now, China’s data localization and cross-border data transfer requirements were not laid out in one piece of legislation but could be found scattered in the Cybersecurity Law and its draft implementing regulations, as well as in various sectoral regulations, which contain specific requirements applicable to data processed by entities in specific sectors.    With the June 10 enactment of the Data Security Law that will take effect Sept. 1 and the upcoming Personal Information Protection La... Read More

Privacy Updates in China and India: 2 Giants Legislating Data Protection

Original Broadcast Date: April 2021 This LinkedIn Live is part of the IAPP Global Privacy Summit Online 2021 web series. China and India, two of the world’s largest markets that account for roughly 2.7 billion people, are both moving toward comprehensive data protection laws. There are expectations in both jurisdictions to see major developments by the end of this year. The two comprehensive data protection bills that have been introduced have some similarities, and certain influences of the E... Read More

China’s central bank seeks to allay digital currency privacy concerns

The People’s Bank of China is working to relieve privacy concerns associated with the nation’s digital currency, saying “controllable anonymity” was a key feature in its design, China Macro Economy reports. Research has shown mobile users are worried about having to share too much personal information, while private businesses do not trust the anonymity of payments. “Establishing both proper identification and privacy in the payment system is key,” Bank of International Settlements Head of Resea... Read More

Chinese government issues new data collection rules

The South China Morning Post reports the Chinese government published new standards for the collection of personal data, specifically defining "necessary" data collection. The definition varies based on the application and its service, but the regulation, which takes effect May 1, curbs app providers from collecting a broad range of data under a bundled consent model. Notably, the regulation will cover 39 categories of apps in some fashion.Full Story... Read More

China's Civil Code now in effect

The Civil Code of the People's Republic of China went into effect 1 Jan., China Daily reports. The code prohibits organizations from sending spam messages via text messages, phone calls and emails, as well as various surveillance activities. "It's the first time that a law defines what privacy is," Haidian District People's Court Judge Chen Changyi said. "In the past it was too vague, and that often gave us difficulties in case hearings and rulings."Full Story... Read More

A look at the extraterritorial applicability of China’s newly issued PIPL: A comparison to the EU's GDPR

On Oct. 21, 2020, the Standing Committee of the National People’s Congress of China released the draft Personal Information Protection Law to solicit public opinions. Many rules of the draft PIPL appear to be similar to those of the EU General Data Protection Regulation, including its territorial applicability.  At first glance, the territorial applicability provisions of the draft PIPL bear some resemblance to those of the GDPR. However, after taking a closer look at the wording of both laws, ... Read More

Beijing Internet Court rules against social media sites in user data cases

The Beijing Internet Court ruled against Tencent Holdings and ByteDance, owner of Douyin and TikTok, in cases alleging misuse of user data, the South China Morning Post reports. Plaintiffs argued Tencent violated users’ privacy by sharing data between the WeRead and WeChat apps. Tencent was ordered to stop sharing the data and pay 6,600 yuan. In a case against Douyin over “people you may know” recommendations, the company was ordered to delete the users’ information and pay 5,231 yuan.Full Story... Read More

Federal case against TikTok claims children’s data sent to China

Twenty separate federal lawsuits filed over the past year on behalf of TikTok users in California and Illinois have been merged into one legal action in federal court, NPR reports. Through their parents, dozens of minors allege that TikTok collects information about their facial characteristics, locations and close contacts and sends that information to China. In a ruling Tuesday, federal judges said the case will be based in the U.S. District Court for the Northern District of Illinois.Full Sto... Read More

China has released its version of COPPA

China has finally released its own version of the U.S. Children's Online Privacy Protection Act. On Aug. 23, the Cyberspace Administration of China released the final version of the "Measures on Online Protection of Children’s Personal Data," which will come into force Oct. 1. The measures provide further clarity on how to protect children’s personal data online under the framework of China's Cyber Security Law. Not only do the measures have a broader application compared to its counterpart in ... Read More